Intelligent CISO Issue 54 | Page 21

cyber trends tracking malicious campaigns that use domains generated by a dictionary domain generation algorithm ( DDGA ) to run scams and spread riskware , spyware , adware , potentially unwanted programs and pornographic content . This attack is widespread and impacts targets across many industries .
VexTrio actors heavily use domains and the DNS protocol to operate their campaigns . The actors leverage vulnerable WordPress websites as attack vectors to serve fraudulent content to unknowing website visitors . To accomplish this , they first detect websites that show cross-site scripting ( XSS ) vulnerabilities in WordPress themes or plugins , then inject malicious JavaScript code into them . When victims visit these websites , they are led to a landing web page that hosts fraudulent content , via one or more intermediary redirect domains that are also controlled by the actors . Additionally , as a means to avoid detection , the actors have integrated several features into their JavaScript and require the following conditions from the user to trigger the redirect :
• The user must visit the WordPress website from a search engine . For example , the referrer URL can be https :// www . google . com /.
• Cookies are enabled in the user ’ s web browser .
• The user has not visited a VexTrio compromised web page in the past 24 hours .
Prevention and mitigation
VexTrio primarily abuses vulnerable WordPress websites to deliver unwanted content to visitors . Embedding malicious JavaScript code in oft-visited web blogs and other popular but vulnerable websites helps the actors widen their reach . Infoblox assesses the VexTrio DDGA campaign could serve as a delivery vector for other cybercrime syndicates and thereby enable followon attacks . Infoblox recommends the following actions for protection from this kind of attack :
• Disabling JavaScript on web browsers completely , or enabling
Mohammed Al-Moneer , Regional Director , META at Infoblox
it only for trusted sites , can help mitigate attacks employed by VexTrio actors , who capitalise on the use of JavaScript to run their tasks .
• Consider using an adblocker program to block certain malware activated by popup ads . Along with an adblocker , consider using the web extension NoScript , which allows JavaScript and other potentially harmful content to execute only from trusted sites to reduce the attack surface available to actors .
• Implementing Infoblox ’ s RPZ feeds in firewalls can stop the connection by actors at the DNS level , as all components described in this report ( compromised websites , intermediary redirect domains , DDGA domains and landing pages ) require the DNS protocol . TIG detects these components daily and adds them to Infoblox ’ s RPZ feeds .
• Leveraging Infoblox ’ s Threat Insight service , which performs real-time streaming analytics on live DNS queries , can provide high-security coverage and protection against threats that are based on DGA as well as DDGA .
Newly observed domains and the Ukraine war
The surge in registration and observation of new domains related to the Russian invasion of Ukraine has been over for some time . Nevertheless , Infoblox research shows that low levels of new phishing campaigns , donation scams and other suspicious activities are still being launched in attempts to take advantage of Ukraine ’ s crisis .
Overall , data shows that the volume of legitimate domains is greater than malicious websites in Infoblox ’ s environment . The surge in newly observed domains began in the first week after the invasion ( the beginning of March ). For several weeks , many legitimate sites were created to help provide relief to the people of Ukraine ; however , cyberthreat actors and scammers also took advantage of the crisis , creating their own sites and adding to the volume of newly observed domains . By the end of March ( week 13 ), the number of domains started to decrease and the number of newly observed domains in Infoblox ’ s data began to stabilise . The most recent trends , beginning in April ( week 14 ), show that , on average , there continues to be a higher – though only slightly – number of newly observed domains ( legitimate and suspicious / malicious ) in comparison to before the invasion .
Although the number of malicious domains is trending down , users should remain vigilant . From previous experience , bad actors will continue to exploit individuals through email , malvertising and other means as long as they can . For comparison , while COVIDrelated malware campaigns peaked in 2020 , we still see them two years later . Users should carefully inspect requests for donations from organisations they are not familiar with and they should not click on links from unknown sources .
“ Our report shares research on many dangerous malware threats ,” said Mohammed Al-Moneer , Regional Director , META at Infoblox . “ Security effectiveness depends on timely , upto-date threat intelligence . Using tools included in Infoblox BloxOne Threat Defense , security teams can collect , normalise and distribute highly accurate , multi-sourced threat intelligence to strengthen the entire security stack . Additional capabilities can help SecOps to accelerate threat investigation and response by up to two-thirds .” u www . intelligentciso . com
21